Cyber Security and Global Information Assurance

Cyber Security and Global Information Assurance: Threat Analysis and Response Solutions Kenneth J. Knapp U.S. Air Force Academy, Colorado, USA

Information science reference Hershey • New York

Director of Editorial Content: Kristin Klinger
Senior Managing Editor: Jamie Snavely
Managing Editor: Jeff Ash
Assistant Managing Editor: Carole Coulson
Typesetter: Chris Hrobak
Cover Design: Lisa Tosheff
Printed at: Yurchak Printing Inc.

Published in the United States of America by Information Science Reference (an imprint of IGI Global), 701 E. Chocolate Avenue, Suite 200, Hershey PA 17033. Tel: 717-533-8845; Fax: 717-533-8661; E-mail: [email protected]; Web site: http://www.igi-global.com/reference

and in the United Kingdom by Information Science Reference (an imprint of IGI Global), 3 Henrietta Street, Covent Garden, London WC2E 8LU. Tel: 44 20 7240 0856; Fax: 44 20 7379 0609; Web site: http://www.eurospanbookstore.com

Copyright © 2009 by IGI Global. All rights reserved. No part of this publication may be reproduced, stored or distributed in any form or by any means, electronic or mechanical, including photocopying, without written permission from the publisher. Product or company names used in this set are for identification purposes only. Inclusion of the names of the products or companies does not indicate a claim of ownership by IGI Global of the trademark or registered trademark.

Library of Congress Cataloging-in-Publication Data
Cyber-security and global information assurance : threat analysis and response solutions / Kenneth J. Knapp, editor.
p. cm.
Includes bibliographical references and index.
Summary: "This book provides a valuable resource by addressing the most pressing issues facing cyber-security from both a national and global perspective"--Provided by publisher.
ISBN 978-1-60566-326-5 (hardcover) -- ISBN 978-1-60566-327-2 (ebook)
1. Information technology--Security measures. 2. Computer security--Management. 3. Cyberspace--Security measures. 4. Data protection. 5. Computer networks--Security measures. I. Knapp, Kenneth J.
QA76.9.A25C918 2009
005.8--dc22
2008052439

British Cataloguing in Publication Data
A Cataloguing in Publication record for this book is available from the British Library.

All work contributed to this book is new, previously-unpublished material. The views expressed in this book are those of the authors, but not necessarily of the publisher.

Cyber Security and Global Information Assurance: Threat Analysis and Response Solutions is part of the IGI Global series named Advances in Information Security and Privacy (AISP) Series, ISBN: Pending



Chapter I

Dynamic Modeling of the Cyber Security Threat Problem: The Black Market for Vulnerabilities
Jaziar Radianti, University of Agder, Norway
Jose J. Gonzalez, University of Agder and Gjøvik University College, Norway

Abstract
This chapter discusses the possible growth of black markets (BMs) for software vulnerabilities and the factors affecting their spread. It is difficult to collect statistics about BMs for vulnerabilities and their associated transactions, as they are hidden from general view. We conduct a disguised observation of online BM trading sites to identify causal models of the ongoing viability of BMs. Our observation results are expressed as a system dynamics model. We implement simulations to observe the effects of possible actions to disrupt BMs. The results suggest that without interventions the number and size of BMs is likely to increase. A simulation scenario with a policy to halt BM operations results in a temporary decrease of the market. The intervention ultimately meets policy resistance, failing to neutralize a reinforcing feedback. Combining the policy with efforts to build distrust among BM participants may cause them to leave the forum and inhibit the imitation process that establishes similar forums.

INTRODUCTION
Cyber security is a challenging problem for computer network users and administrators in both the public and private sectors. The defense capability of cyberspace users commonly lags behind that of malicious attackers, who are quick in discovering holes, weaknesses, flaws and vulnerabilities in hardware and software systems. The escalating costs of computer incidents increasingly put the security of computer networks at risk. Failures in securing cyberspace are partially rooted in the software vulnerability problem. One emerging issue resulting from the ubiquitous undiscovered flaws in software is the presence of black markets (BMs) which allow people to trade exploits for vulnerabilities. The objectives of this chapter are threefold: first, to address general knowledge on the discussions surrounding vulnerability discovery and the black market for vulnerabilities; second, to briefly illustrate our disguised observation of online BMs; third, to build a simple system dynamics model of how BMs spread. This chapter is divided into several sub-sections. We start the discussion with the problem background, followed by a description of the black market terms and the complexities of keeping software secure. Next, we cover the history and background surrounding vulnerability discovery and the development of the market for software vulnerabilities, whether legal or illegal. In other words, we describe the shift from a nonprofit-based vulnerability discovery process to a profit-seeking one. The discussion of the legitimate market, in theory and practice, is embedded to further show the connection with the underground trading problems. The subsequent sub-section deals with the dynamic model of BMs. We have used system dynamics (SD) models to map the causal structure of vulnerability trading. SD modeling supports iterative development, allowing us to refine and incrementally validate the model's structure and dynamic behavior as empirical data emerge. For this chapter we present a simple, observation-based model to illustrate how the black markets may spread. In the last sub-section, we discuss future trends and draw conclusions.

Copyright © 2009, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

BACKGROUND
The vulnerability black market (VBM) discussions surfaced at almost the same time as the increasing public debate on the emergence of legitimate markets where vulnerability researchers can sell vulnerability information. The existence of black hat hackers has long been known; however, a recent trend is that they are becoming profit-seeking (Itzhak, 2006). In the past, they searched for vulnerabilities mainly to improve their opportunity for financial gain through successful exploitation. Lately the black hat hackers are developing easy-to-use attack tools and selling them underground. However, most of the research on VBMs is scattered, with limited systematic studies. Several security companies' reports, such as those from IBM ISS X-Force (2007), PandaLabs (2007), and Symantec (2008), note the growth of malicious attacks, some of which may be the result of the limited circulation of zero-day vulnerability information. Symantec has been observing the black market forums operating in the underground economy. According to Symantec's report, the forums are likely to be used by criminals and criminal organizations to trade various goods and services for identity theft purposes. Therefore, Symantec's report considers the emergence of black markets for zero-day vulnerabilities a serious threat. However, it is premature to attribute an increase in malicious attacks solely to the presence of VBMs. The IBM report links underground sales and markets for Web-browser exploits to the obvious growth in targeted attacks against specific customers and sites. PandaLabs' report even reveals the prices of malware kits sold underground. These data indicate indirectly that there are software developers and black hat attackers exchanging information about targets and tools. Such information exchange would be the core of a VBM. Basic questions emerge: Is the number of black markets increasing, and how do the black markets spread?

Black Market for Vulnerabilities: Definition, Issues and Problems
In this sub-section, the goals are threefold. First, to clarify some essential terms, such as "the market", "the black market" and "the vulnerability black market". These terms will be discussed elsewhere in the chapter. Second, to present the discussion regarding the history of vulnerability discovery and disclosure. Third, to see how the issue of BMs for vulnerabilities is connected to these various discussions.

Terms
The term "market" is mostly used by economists. The everyday, traditional notion of a market is a specific place where certain types of commodities are bought and sold. However, newly emerging markets have more advanced properties than merely being a place for the exchange of goods. The economist Coase (1988, p. 7) criticizes modern microeconomics textbooks for dealing with the determination of market prices while lacking a deep analysis of the market itself; the social institutions and factors affecting the exchange are completely neglected. The market structure concept introduced by economists is intriguing because it has little to do with social institutions, and instead refers to the number of firms, access to the market and product differentiation. We now present varying definitions of a market. Gravelle & Rees (1981), for example, propose that "a market exists whenever two or more individuals are prepared to enter into exchange transaction, regardless of time or place". Perloff (2007, p. 5) defines a market as "a social arrangement that allows or facilitates buyers and sellers to discover information and carry out a voluntary exchange of goods or services". A market is an exchange mechanism that allows buyers to trade with sellers. Parkin et al. (2005, p. 44) propose an almost similar definition, that a market is "any arrangement that enables buyers and sellers to get information and to do business with each other". In orderly markets, enterprising individuals and firms benefit from transactions in goods and services. However, Parkin et al. also underline the importance of property rights as a prerequisite for markets to operate properly. Property rights regulate the ownership, use and disposal of resources, goods, and services. Therefore, contemporary economics differentiates between private goods and public goods. Private goods have the following properties: excludability and rivalry. Property rights are applicable to private goods, but not to public goods, since the latter have non-rivalry and non-excludability characteristics. Markets coordinate individual decisions through the price mechanism. Mostly, market definitions are associated with a physical facility. Coase (1988) argues that markets require more than physical facilities for conducting buying and selling. In support of this statement, Coase points out the importance of the legal rules governing the rights and duties of those who conduct the transaction, and introduces the term "transaction costs". Coase (1988, p. 30) contends that without considering transaction costs it is impossible to understand properly the working of the economic system and to have a rational basis for establishing economic policy. For this chapter, we extend the market discussion. We refer to the emergence of online commerce, which covers the virtual marketplace, virtual trading, even virtual commodities, in which buyers and sellers do not physically interact, since all transactions are conducted via the Internet. Hence, all sellers and buyers are not only physically dispersed but also virtually scattered. Regarding this fast-changing phenomenon, Kahin and Varian (2000) note that the economics of electronic commerce on the World Wide Web was beginning to take shape around the mid-1990s. The increasing popularity of Internet usage transforms not only the way information is accessed and used in business, but also the nature of existing economic relationships and business models. Kahin and Varian (2000) point out that cookies and clicks, animation, linked words, pop-up windows and hyperlinks were among the advanced features of the Internet's commercial strategy to attract customers and shape decisions.


To observe the shift toward the information-based "new economy", DeLong and Froomkin (2000) utilize three pillars of market systems in the traditional economy, i.e., most goods have the properties of excludability, rivalry and transparency. Excludability prevents people who have not paid for goods from enjoying their benefits; such goods are depletable, reducing the amount available to others. Rivalry prevents simultaneous consumption of a good by other consumers. Transparency deals with the ability of individuals to see clearly what they need and what is for sale, before taking a purchase decision. Information-based goods do not possess these properties and require different pricing and resource allocation. In the absence of excludability, e.g., in television broadcasting, one person's consumption does not reduce the availability of programs for others; it does not prevent others from enjoying it. Non-rival goods allow two to consume as cheaply as one. For example, the cost to produce an extra copy of software is almost zero. This situation creates a dilemma when a producer charges a price above the marginal cost. In addition, information goods are no longer transparent. Furthermore, DeLong and Froomkin (2000) examine various pricing policies and virtual business practices such as the market for software (shareware, public beta), shop-bots, online auctions, meta-auction sites, and bidding services. DeLong and Froomkin suggest that the non-excludability, non-rivalry and non-transparency characteristics of information goods may affect the structure of the New Economy; economists need to answer some challenges in this era. From the aforementioned description, we learn that the nature of the market has changed in the "new economy" and possesses the following attributes: the information-based market precludes the traditional characteristics of market systems, and operates as an online economy. We return to the issue of a market definition for our case. Based upon the previous discussion, we propose to define a market as:



a place and social arrangement for conducting buying and selling regardless of the physical or virtual nature of the marketplace

Next, we shift our focus to the black market term. The actual origin of the term "black market" or "underground market" is not quite clear, although it seems that the "black" attached to the market indicates illegal activities occurring under conditions of great secrecy (Clinard, 1969, p. 2). According to the available literature (Boulding, 1947; Clinard, 1969), the black market (BM) emerges because of government regulations applying ceiling prices (due to scarcity problems for certain products such as food, gas or other luxury goods). The violations arise as over-ceiling pricing, evasive price violations or rationing violations. The Merriam-Webster Dictionary defines a black market as "an illicit trade in goods or commodities in violation of official regulations". The actors in the market tend to avoid identification by the public. The term "black market" first appeared during the Second World War, especially in the United States, when drastic regulations were issued making it illegal to charge more than a certain ceiling price for nearly all commodities (Clinard, 1969). A BM does not only emerge in wartime, as numerous prohibited goods are traded at any time (such as drugs, pornography, gambling, etc). Today, illicit trading in the black market still develops because of tight governmental regulations on a wide range of lucrative commodities. Basically, a BM operates outside the law and is driven by the opportunity for profit and the needs of consumers. A BM covers a wide range of activities and commodities, from heavy industrial materials to items such as clothing, gasoline, shoes, sugar, cigarettes and alcoholic beverages. Therefore, the BM term also refers to trading in goods that involves tax avoidance, so that customers find certain products less expensive in such a market (Bajada & Schneider, 2005; Ray, 1981). Some legitimate, profitable and highly regulated businesses are becoming opportunities for the proliferation of BMs. The banned products in BMs can be smuggled or produced illegally, and the sellers yield profits based solely on demand. In brief, nearly all BM traits and activities involve intricate, criminal and disobedient behaviors that might be considered "crimes". Beyond the traditional definition of a market, where buyers and sellers may have physical contact, innumerable virtual markets have nowadays developed into marketplaces for trading various illegal commodities. The mixture of the popularity of Internet trading and the effortless creation of markets triggers the market for vulnerability exploits and pushes the market's growth further. Perhaps there are similarities between wartime and today's BMs: both may disregard the law, constitute illegal activities and be a place of commodity trading for malicious purposes. The trading is conducted in the "dark", and avoids the open view of authorities. Having described the various discussions above, we turn next to the nature of our endeavor, to define what a BM is. We define a black market as:

an arena or any arrangement for conducting illegal trading which takes place hidden from public eyes. The trading covers all motives such as to avoid government regulations, to trade prohibited commodities, or to trade commodities that may be utilized for malicious or criminal purposes.

We now move to the discussion of the black market for vulnerabilities. It is important first to clarify the definition of the term vulnerability, since in the computer security field the term covers diverse aspects of software, hardware and networks. We skip the discussion of the various software vulnerability problems and vulnerability taxonomies. For a detailed discussion of this topic see Du & Mathur (1998), Landwehr, Bull, McDermott & Choi (1994), and Seacord & Householder (2005). For the sake of brevity, in this chapter we define vulnerability as:

bugs and flaws (caused by programming errors) that give rise to exploit techniques or particular attack patterns

The vulnerability black markets relate to the current discussion of the emergence of the market for vulnerabilities and zero-day exploits. The discussion becomes part of a broader discussion of the various types of legitimate markets that have been established to provide monetary rewards for vulnerability information. Based on the previous explanations, we define the vulnerability black market (VBM) as:

an arena or any arrangement for illegal selling and buying activities to trade vulnerability exploits and malware or any products taking malicious advantage of the weaknesses in software and computer networks.

Related Works
Recently, two empirical works relating to the underground market were published, by Franklin et al. (2007) and Zhuge et al. (2007). Based on the collected information, they examine the size of the underground black markets. Zhuge et al. focus on the aspects of the underground market that are visible as part of the World Wide Web. They examine the relationships between individual actors within the market and also study the size of the actual market. Zhuge et al. use a combined method to automatically browse the Web and analyze all content that may contain malicious sites on the Chinese Web. Franklin et al. investigate a large number of underground Internet Relay Chat (IRC) channels, and examine the advertisements of black market trading. The data were taken from archived IRC logs containing 13 million messages. Their main focus is to find an underground economy which specializes in activities such as credit card fraud, identity theft, spamming, phishing, online credential theft and the sale of compromised hosts.


Franklin, Zhuge and their co-authors are also concerned with the market mechanism, as we are. However, we also focus on how the black markets actually develop over time, by observing some key variables such as membership development, buying, selling, trading activities, and also threads development in the VBM forum.

Complexities of Keeping Software Secure
For our present purpose, we have divided the actors related to vulnerabilities into four categories, i.e., software vendors, malicious attackers, security researchers and software users. This framework also incorporates the major issues related to the actors' interests when encountering vulnerabilities, some possible motives behind their stance and some problems that may arise from carrying out or neglecting their role. Within the framework presented in Table 1, we can look more specifically at the different issues related to vulnerabilities from the perspective of the different actors: Malicious attackers are virus and exploit writers and malware creators; attackers who continuously search for diverse methods and tools to attack software weaknesses. People are aware that the motivation for finding weaknesses in software is not only notoriety or adventure, but also more commercial motives, mainly financial advantage.

The ideal situation when encountering software vulnerabilities is that the non-malicious parties play their roles as they should: Software vendors are supposed to develop more secure software and patch vulnerabilities, as well as offer good protection to clients. Good quality software is important to build credibility and reputation among clients. But since software production is also clearly a profit-oriented business, the conjunction of both motives sometimes creates problems. One well-known problem is the dilemma between adequate software testing and the market pressure to release more sophisticated software versions and to compete with other vendors in developing more attractive software products. In addition, a reward dilemma surfaces over the ethics or appropriateness of giving monetary rewards to security researchers who discover vulnerabilities. Security researchers are also key actors in the effort to secure software vulnerabilities, because of their skill in finding unrecognized flaws in the software. Vulnerability discovery has long been part of their interests, but the motives behind these efforts vary (such as gaining or improving reputation). A broader goal of announcing a vulnerability publicly may be driven by the more altruistic motive of enhancing users' awareness of possible exploitation of newly known vulnerabilities. Recently, the researchers' motive for the discovery effort is also driven by economic considerations.

Table 1. Vulnerabilities from the perspective of different actors

| Issues   | Malicious Attackers                        | Software Vendors                                   | Security Researchers                     | Software Users                            |
|----------|--------------------------------------------|----------------------------------------------------|------------------------------------------|-------------------------------------------|
| Interest | attack                                     | secure software                                    | flaws discovery                          | defense                                   |
| Motive   | notoriety; adventure; financial gain       | credibility; profit                                | altruistic; reputation; monetary reward  | protection; security risk mitigation      |
| Problems | searching opportunities; develop exploits  | buggy software; reward dilemma; market pressure    | reward maximization; channeling          | updates negligence                        |

Software users (including computer administrators) may defend their computers with new updates to mitigate security risks. The system becomes unbalanced when actors play their roles inappropriately, leading to more complex relationships and further software vulnerability problems: users do not patch, vendors produce buggy software, or software vendors do not reward security researchers, while security researchers (who can be black hat and white hat hackers) eventually trade their findings (they may sell to security companies or to malicious individuals or even criminals). In addition, it is unclear how to channel vulnerability discoveries, and there are some disagreements among non-end-user actors regarding how to disclose vulnerabilities. These problems also involve the reward maximization issue of whether to engage further in illicit trading. Researchers with altruistic and voluntary motives may be blamed for supporting the "full-disclosure" style because the discovery process creates unintended problems. The main intention of announcing a software flaw publicly is to pressure vendors, but as an unintended effect, malicious actors might work faster to develop attack tools.

Tracing the History of Vulnerability Discovery
We cannot neglect the history and problems surrounding vulnerability discovery and disclosure policy, as well as the current discussion and development of legitimate markets, if we are to understand the underlying factors influencing the emergence of the black market for vulnerabilities. Did the black market for vulnerabilities exist before vulnerability disclosure and the emergence of the legitimate market, or did the black market surface because of the legitimate market? Is the legitimate market formed to attract hackers and security researchers, or to contain the black market? In the literature related to vulnerability markets, vulnerability discovery and vulnerability disclosure, the main debates regarding vulnerability disclosure models can be split into three: vulnerability secrecy/non-disclosure (to suppress publication entirely until patches or updates are available), vulnerability disclosure (to publish full details) and responsible disclosure (to conceal some details). This sub-section also briefly reviews the emerging profit-motivated vulnerability discovery. The history of vulnerability discovery is shown in Figure 1. The sources utilized in the diagram are cited throughout the description in this section.

Figure 1. Timeline of vulnerability discovery initiatives and approaches

Vulnerability Secrecy Period
Some groups have been practicing "security through obscurity", relying on flaws not being known and attackers being unlikely to find them. Small groups of interested parties were unwilling to disclose them to the masses. As these bugs were slowly found by others or passed on to vendors, they eventually got fixed. This "security through obscurity" approach did not lead to secure software. Before the disclosure policy was introduced, software companies were inclined to take no notice of vulnerabilities reported by security researchers and trusted in vulnerability secrecy. Furthermore, it was considered an 'illegal action' if security researchers disclosed vulnerabilities (Schneier, 2007). CERT (Computer Emergency Response Team) was established by DARPA (the Defense Advanced Research Projects Agency) in 1988 to coordinate and respond to Internet attacks, including vulnerability reports (Schneier, 2000b). Over the years, CERT has acted as a central agency for the reporting of vulnerabilities. Researchers are supposed to report discovered vulnerabilities to CERT. CERT will verify the vulnerability, silently inform the vendor and make the details (and the fix) public once patches are available. In sum, people were keeping software vulnerabilities secret. Vulnerability concealment has been criticized for causing a significant delay between vulnerability finding and patch development. Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security and hinders the security education that leads to improvement.

Vulnerability Disclosure Period
The full-disclosure movement started because of dissatisfaction with the previous "slow" process. CERT received a great number of vulnerability reports, but it was very slow in verifying them; the vendors were also slow to fix the vulnerabilities after notification and, to worsen matters, CERT was slow to publish reports even after the patches were released (Schneier, 2000b). Well-known security mailing lists such as Bugtraq (begun in 1993) and NT Bugtraq (begun in 1997) became a shared forum for people who believed that the only way to improve security was to publicize the problems (Rauch, 1999; Schneier, 2000b, 2007). In this approach, vulnerabilities and solutions are disclosed and discussed openly. In essence, full disclosure is the practice of making the details of security vulnerabilities public. Since 1995, the number of people participating in "full disclosure" has increased significantly (Rauch, 1999). The proponents of this idea believe that the policy will force vendors to be more responsive in fixing vulnerabilities and that security will improve (Rauch, 1999). Full disclosure proponents argue that public scrutiny is the only reliable way to improve security (Levy, 2001; Schneier, 2000a, 2000b, 2001, 2007). Keeping software vulnerabilities secret was intended to keep the information out of the hands of hackers. But hackers have proven to be skillful at discovering unknown vulnerabilities, and full disclosure is the only reason why vendors regularly patch their systems. Critics of the full-disclosure movement especially point out that hackers can at the same time use these mailing lists to learn about vulnerabilities and write attack programs (called "exploits"). Before public vulnerability disclosure, the actors exploiting the vulnerability would only be the ones who discovered it, and they could only compromise a finite number of machines. If they used automated exploits or a worm, the chances of being discovered were high, and their zero-day backdoor became publicly known and subsequently patched. However, after the vulnerability is publicly disclosed, the world learns about the flaw, and the number of computer victims increases significantly (Grimes, 2005). The debates between proponents and opponents of full disclosure can be summarized as follows:

Table 2. Summary of the reasons of proponents and opponents of full disclosure (FD)

| Disagree                                                                                              | Agree                                                                                          |
|-------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|
| Nobody except researchers needs to know the details of flaws                                          | FD helps the good guys more than the bad guys                                                  |
| FD results in information anarchy                                                                     | Effective security cannot be based on obscurity                                                |
| Good guys who publish virus code may also have malicious intentions                                   | Making vulnerabilities public is an important tool in forcing vendors to improve their products |
| Safer if researchers keep details about vulnerabilities and stop arming hackers with offensive tools  | If an exploit is known and not shared, the vendor might be slower to fix the hole              |
| The risk associated with publishing the information outstrips its benefit                             |                                                                                                |
| FD serves to arm hackers with tools to break systems                                                  | Sharing information security with other professionals is an absolute necessity                 |

Responsible Disclosure Period
Accordingly, software companies and some security researchers proposed "responsible disclosure". This movement appeared because a number of security researchers considered that the negative effects of full disclosure were greater than the positive impacts. The basic idea is that the threat of publishing the vulnerability is almost as good as actually publishing it. A responsible researcher would quietly notify the software vendor of the vulnerability and provide a deadline for patching before the vulnerability is disclosed. CERT/CC (2000) introduced a new vulnerability disclosure policy, although the information security community still has doubts about this proposal (CyberEye, 2001). All reported vulnerabilities will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. In addition, pressure came from a coalition of well-known software developers and some security companies, established to push a standard policy of limiting public disclosure of security vulnerabilities (Middleton, 2001), and a number of guidelines are currently available to govern the relationship between vendors and vulnerability reporters. Software vendors and security research firms have begun to jointly develop a unified framework for vulnerability disclosure under the OIS (Organization for Internet Safety) Guidelines (2004). Some issues that may arise from responsible disclosure have also been discussed by Cavusoglu et al. (2005). Presently, full disclosure and responsible disclosure are practiced simultaneously.



Dynamic Modeling of the Cyber Security Threat Problem

Emergence of Theories and Practices of the “Legitimate” Market

This sub-section describes the current theoretical market proposals and the expansion of vulnerability markets. The objective is to understand the black market issue in the light of current developments. In line with the vulnerability disclosure debates and the emergence of the economics of information security in the early 2000s, a new “stream”, the so-called “market” approach, surfaced at both the theoretical and the practical level. Economics of information security is becoming a thriving and fast-moving discipline that merges economic considerations and economic theories into the computer security field. Anderson (2001), one of the originators, argues that most security problems cannot be solved by technical means alone; instead, microeconomic terms are better able to explain security problems (Anderson & Moore, 2006). Schneier advocates that economics has appropriate theories to deal with computer security issues (Schneier, 2006).

On the theoretical level, the economics of vulnerabilities is becoming one of the fastest-developing subjects among the concentrations in the field of economics of information security. The initial thoughts on the economics of vulnerabilities concern measuring software security through market mechanisms. Camp and Wolfram (2004) propose a market through which vulnerability findings could be traded; such markets have previously worked to create incentives for the reduction of negative externalities like environmental pollutants. Schechter (2002) proposes creating markets for reports of previously undiscovered vulnerabilities, while Ozment (2004) suggests a vulnerability market as an auction. Böhme (2006) adds possible market forms, i.e., vulnerability brokers, exploit derivatives and cyber-insurance, to the vulnerability market discussion. His objectives are to compare vulnerability market types for trading security-related information and to find which type serves best to counter security market failures. However, Kannan and Telang (2005) criticize that the business models of these organizations are not socially optimal, and Rescola (2005) finds no support for the usefulness of vulnerability finding and disclosure.

On a practical level, the “legitimate” market for vulnerabilities is developing as well. Apparently, this is also a period of “commercialization” of vulnerability research. Sutton and Nagle (2006) describe the models that already exist in various markets rather than a theoretical model, and classify the current vulnerability market into government market, open market, underground market, auction market and vendor market. iDefense announced the VCP (Vulnerability Contributor Program) on a security mailing list in 2002, offering rewards for verified vulnerability information. In 2004, the Mozilla Foundation offered payment to those who find critical security flaws in its products, including the Firefox Web browser (Lemos, 2004); TippingPoint announced the ZDI (Zero Day Initiative) in 2005 (Evers, 2007); and Digital Armaments created the DACP (Digital Armaments Contribution Program) at the end of 2005. In 2007, two new marketplaces emerged: Netragard with the EAP (Exploits Acquisition Program), and Wabisabi Labi as an auction site. The latter company claims only to provide a marketplace (and not to buy the vulnerabilities). The company acts as a mediator between sellers and buyers in four schemes: traditional auction (the highest bidder wins), Dutch auction (allows more than one winner), buy now (allows bidders to buy immediately) and buy exclusively (allows the buyer to buy the item and close the auction). Unfortunately, Netragard's EAP only had a short lifespan: in March 2008, after it had operated for approximately fourteen months, the program was shut down.

Concerning those marketplaces, Ozment and Schechter (2006) criticize the obscurity of vulnerability prices, which hinders development toward an open market. The weakness of all market-based approaches is that they may increase the number of identified vulnerabilities by compensating people who would otherwise not search for flaws.

A Summary of the Vulnerability Discovery Discussion

We return to the initial question about the historical order of black markets, the disclosure movement and legitimate markets. The previous historical depiction shows that the underground movement may already have existed before the vulnerability disclosure policy. Some full disclosure proponents, disagreeing with the opponents of this movement, point out that vulnerabilities have been known to attackers and circulated quietly in the hacker underground for months or years before the vendor ever found out; therefore faster vulnerability publication is considered the better action (Schneier, 2000b). This indicates that the security community was already aware that an underground movement existed before the full disclosure movement. However, the emergence of the BMs may be a new phenomenon, driven by economic motives. If we observe carefully, as full disclosure is implemented, there is an indication that the information from full disclosure discussions in the mailing lists may also be traded among underground actors looking to break into machines (Rauch, 1999). Furthermore, Rauch concludes that full disclosure results in a grey market economy in exploits. This market broadens the options for independent “vulnerability researchers” to sell their findings to security companies or spyware manufacturers, whichever bids higher. Regarding the question of whether the legal market's (LM) motivation is to attract security researchers away from the BM, we found claims that part of the justification for establishing the market is to give better rewards to security researchers. However, some critics of current market practice point out the inability of legitimate markets to acquire critical vulnerabilities (Evers, 2007). Malicious actors want to keep those vulnerabilities for themselves and use them to exploit systems in the wild, and it is doubtful that underground hackers are motivated to sell vulnerabilities to a security company if they earn more by keeping the vulnerability information private.

The Dynamic Model of the BMs

The Basic Modeling Approach and Observation

Our motivation for investigating these problems using system dynamics modeling is to ascertain future trends. System dynamics (SD) is a methodology for modeling and simulating dynamic, non-linear systems describing real-world issues. SD captures non-linearity and time delays in complex systems, as well as feedback loops and their interactions. Outputs of SD modeling include causal maps, causal map analysis and “dynamic stories” that visualize the behavior of complex security systems, leading to team/organizational learning and to policies to manage complex systems. Sterman (2000) sums it up in a brief statement: system dynamics is a method to enhance learning in complex systems. Indeed, the markets for software vulnerabilities are far too complex to be captured in a simple model. Therefore, we target a particular problem relating to BMs rather than attempting to capture all issues surrounding BMs in their full complexity.

Our belief in the existence of BMs or underground markets does not rely only on news and reports; it is also grounded in our disguised observation of twelve websites containing tangible BM forums. A limitation of our observations is that we have only been able to examine black markets that trade exploits and malware, not direct trading of vulnerability information. Certainly, we noticed that the BMs do not only trade exploits and malware, but also other illegal items such as stolen personal information, credit card data, bank logins, compromised hosting sites, etc. We could measure the “growth” of the BMs from a macro perspective, i.e., the number of underground websites with black market forums. We could also observe them from a micro perspective, i.e., the development of the individual BM, especially its advertising volume and membership. In this chapter, we mainly focus on the macro perspective. The purpose of the modeling in this chapter is to answer the questions: What factors affect the spread of the black markets, and what is the possible future growth of the markets?

Methods

We began our data collection by observing the contributions and discussions on hacker websites that feature an explicit Black Market (BM), marketplace or trading forum. Once sites were identified, we visited them and observed the activities related to zero-day exploits and other vulnerability-related attack tools. We could observe the market's dynamics from message boards or IRC networks. Both of these mediums are usually accessible to visitors. In this research mode, quiet observation without participating or interfering with the actors is a viable technique for data capture. Data was retrieved from the site's public interface, without other access to the server functions. Most of the observed BM forums require registration with a valid email address. During this study, we registered on boards with an anonymous email address, disguising our identity so that we could explore all message board areas. We found 12 BM forums that we coded as W1 ... W12. Then, we identified an additional five emerging BM forums. In Figure 2, we coded those new forums as N1 ... N5. We did not use them in our analysis because of their short historical records. Nevertheless, this indicates that more forums are appearing. Unlike other studies, such as that of Zhuge et al. (2007), who search for malicious websites using automatic techniques, our search was performed manually. We coded, categorized and analyzed all postings in each forum. Based on the available forums, we note that BMs develop over time. We could trace the starting time of each forum from the first posting, mostly made by the webmasters who set the rules for the forum. Among those twelve forums, we were only able to trace ten with a first-posting history. Our observation of BM sites indicates common traits across the different BMs on various websites:



• The most basic characteristic of the forums is that their presence is typically combined with intermittent downtime. The consequence is that there are periods when many people join the market and cause peaks in buying, selling and trading activity, and periods when the marketplace becomes unavailable. However, the accessibility problem is not only triggered by forum availability, but also by the forum rules.
• The availability of forum rules is part of the BM's characteristics. There are differences between large forums and smaller forums. We differentiate forum size by the number of participants on the website (fewer or more than 15,000 registrants), the continuity of new advertisements in the forum over time (sometimes only a few advertisements in small forums over several months) and the forum's sustainability (small forums tend to be shut down frequently). Large forums have tighter rules and readily exclude or “ban” participants who do not follow the rules of the forum. Some forums even set “criteria” for potential participants intending to enter the BM forum. Furthermore, big BM forums develop verification procedures that must be passed before new participants can trade in the forum. On the other hand, small forums have less stringent rules and allow people to freely enter the market. But not many visitors are interested in posting or trading in small forums and, thus, small forums tend to stagnate over time.
• The observed markets do not conduct direct vulnerability information trading, but mostly trade exploits, malware and other malicious tools. Usually security companies or vendors would learn about unknown vulnerabilities only when they are exploited. For example, an exploit circulating in the black market might be detected when it is used against a system.

Figure 2. Observed BMs development based on first posting history in BM Forum (Source: Observation from BMs Forum). [Plot: number of BMs (0 to 16) by month from Apr-06 to May-08; the twelve observed forums W1 to W12 and the five emerging forums N1 to N5 are marked at their first-posting dates.]

Figure 3. Reference mode. [Sketch of three hypothesized future paths for the number of BMs: a, growth without policy intervention; b, S-shaped sustained growth despite disruption; c, collapse and decay.]

Reference Mode

Reference behavior modes should be provided before starting the modeling process (1980; Richardson & Pugh, 1981), that is, a plot of the behavior of the system's key variables over time. The reference behavior modes capture historical data, mental models and policy behavior. As previously mentioned, the modeling approach aims at finding which factors affect the spread of the black markets and what the possible future growth of the markets is. Confidence in such answers depends on the SD model being


able to reproduce the reference behavior modes for the right reasons.

On a macro scale, we hypothesized that BMs would increase over time across the Internet, although on a micro or individual scale they might fluctuate because some individual forums are unable to keep their websites running. Figure 2 shows the development of the observed BMs and an increasing trend. Labels W1, W2, ... W12 indicate the emergence of BM forums. These statistics are limited to the BMs that we could examine; the number of BM forums with various trading styles is probably far larger and scattered across underground websites. An automated search of Chinese websites alone by Zhuge et al. (2007) identified 2,149 malicious websites. However, that study does not report how many specific black markets are among them, since it focuses on how these malicious websites redirect visitors to Web-based Trojans.

Building upon Figure 2, we hypothesize the reference mode of future BM behavior (Figure 3, path a) under two conditions: with or without a specific policy. Path a shows unchecked BM growth due to the absence of any policy intervention to diminish the BMs' spread.

However, when discretionary operations to “disrupt” the underground market are carried out, there are still two possible results, desirable and undesirable. The undesirable development is represented by the S-shaped, sustained growth curve (path b). This may happen because of individual websites' protection mechanisms: to avoid repressive action against underground markets, or the risk of becoming a hacking or attack target, an individual website may be hidden temporarily, redirected to a new place, moved to a different host or re-established as a new site. The desirable development occurs when policy intervention causes the market to gradually collapse over time; effective policy intervention will hopefully reduce the activities. This situation is illustrated by curve c, with collapse and decay. Indeed, there are natural reasons for BM decay. A weak BM forum leads participants to doubt the “safety” of their underground transactions. An unpopular website makes the BM arena less attractive. Too few visitors or participants restrain potential sellers or buyers from entering the market. Or a BM could decay simply because the participants distrust the forum. However, this fraction may be small compared with the overall growth. Therefore, the focus on policy intervention to produce desired results is important.

Figure 4. The flow of vulnerabilities. [Stock-and-flow diagram: Unrecognized Vulnerabilities flow via a Discovery Rate into Vulnerabilities Discovered by Black Hat Hackers; from there they flow either via the BM Trading Rate into Vulnerabilities with Exploit Traded in Black Market or via the LM Trading Rate into Vulnerabilities Traded in Legal Market, which in turn flow via the Fixed Rate from Legal Market into Patched Vulnerabilities. A Vulnerability obsolescence rate and the labels Black Markets, BM Participants and Black Hat Hackers also appear in the diagram.]

Simple Dynamic Model of BM Spreads

In previous work (Radianti & Gonzalez, 2007) we have already identified the flow of vulnerabilities from unrecognized vulnerabilities, through discovered and traded, to patched vulnerabilities, as illustrated in Figure 4. However, the model for this chapter focuses on the development of black market sites and the growth of BM participants (the two hexagons), which in turn may affect the trading of vulnerabilities with exploits. Note that in the model description, rectangles represent stocks of variables (e.g., of vulnerabilities); double-line arrows with valves and cloud symbols represent flows; thinner arrows indicate causal influences; arrows with minus signs indicate inverse causal influence. Trading of vulnerability exploits and malware is facilitated by the availability of BMs as well as the availability of participants.

Figure 5. BM establishment sub model. [Causal-loop diagram: the Black Markets stock is fed by the BM Establishment Rate and drained by the BM Decay Rate, which is governed by the Average Black Market Life Time. Variables: BM Existence, Opportunity, BM Feasibility, Black Markets Saturation Level, BMs Establishment Driven, Process Grasp, Knowledge of BM's Operation, Effect of BM Knowledge on BM Establishment, Information Absorption Among Participants, Exchange Factor, Learning Rate, Knowledge gain per person.]

We capture these two important factors in two sub-models, illustrated in Figures 5 and 6. The following dynamic story behind this model building is developed based on the aforementioned observation of underground websites. The stock of “Black Markets” increases with the establishment of BM instances and decreases through stagnation and disappearance of instances. The latter process is represented by the “BM Decay Rate”. Possible causes of stagnation are that the forum did not attract enough participants, that visitors did not trade or post advertisements, or frequent forum downtime. Additional reasons could be the inability of the webmasters to promote the site to acquire more potential visitors and gain the participants' trust. We found examples of such cases in forum W3 (gone and reborn as a new forum without BM features), W10 (BM available but with only 3 postings within 6 months) and W8 (slow development in the beginning, then stagnation). Furthermore, we identify three aspects influencing BM establishment: BM existence, opportunity and process grasp. We captured those


three factors in two reinforcing loops (marked with a positive sign) and one balancing loop (negative sign), as shown in Figure 5. The balancing loop counteracts black market growth and can even suppress growth if it is stronger than the reinforcing loops.

Process Grasp loop: We assume that learning occurs among underground actors, triggering duplication processes that imitate previously available BM forums. Available markets give underground actors a chance to learn the BM market process, mechanisms and operations. We did observe that some administrators/moderators of certain BM forums were participants in the W1 forum, one of the oldest and biggest BMs. The imitation process manifested in how the newer forums reproduced similar rules and verification processes. The Process Grasp loop captures this procedure imitation. The more direct and indirect contacts the participants have, the more they learn about BM operation. Accumulated knowledge will motivate some underground activists to extend their hacker website by opening a market forum.

Opportunity loop: Online BMs may be triggered by many reasons, and this opens opportunities for the establishment of new BM instances. For some underground actors the available markets may not fulfil their expectations. For example, one BM specializes in trading specific malware, i.e., various types of packers and binders. A packer is a “compression tool” that takes known Trojan executables and compresses them so that they are unrecognizable to anti-virus software. Binders are programs that allow hackers to “bind” two or more executables together, resulting in one single .exe file. The resulting Trojan executables are commonly passed around as email attachments. Some sites permit participants to buy, sell and trade various personal identities and hacked credit cards, including CVV2 information. In other forums, similar commodities are prohibited. Some sites mostly focus on zero-day exploit and malware trading. Another BM applies very restrictive rules and tight verification procedures, and disobedient participants cannot advertise in the forum. All the diverse needs and demands of the underground community that are not fulfilled by existing BMs, either because they are too restricted or too specialized, create opportunities for other types of BMs, i.e., with less tight regulation, allowing credit card trading besides exploits and malware. We capture the “space” for creating BMs with the concept of “BM Feasibility”. BM Feasibility is the ratio of existing “Black Markets” to the “Black Markets Saturation Level”. If the ratio is still low, i.e., space is still available and it is still possible to attract underground actors to enter BMs, the “BMs Establishment Driven” will be high. As the markets grow, approaching the saturation level, or even experiencing double or triple growth, fewer actors try to open new forums.

BM Existence loop: BM existence also reinforces BM establishment. We could trace new BM forums based on links or advertising on other BM websites. This is only one example of how existing black markets could serve as reinforcing agents spreading more BM forums.

Now we shift our focus to the BM Participants sub-model illustrated in Figure 6. BM participants play an important role in expanding the BMs: they serve as agents who keep the BM forum alive with postings, discussions and advertising for buying and selling exploits, malware and other malicious tools. They may transfer insights about black market operation from big and well-known forums to smaller, emergent forums. As shown in Figure 4, the BM Participants sub-model (Figure 6) contains a feedback to the BM sub-model (reinforcing BM establishment). On the other hand, the BM sub-model also provides a link to the BM Participants sub-model (serving as attractiveness for visitors to enter the BM). The stock of “BM Participants” increases by the inflow “Entering BM” and decreases by the outflow “Leaving BM”. Three main feedback loops capture the dynamics of BM Participants: the BM Doorway loop (reinforcing, positive), the Elimination loop (reinforcing, positive) and the Restraining loop (balancing, negative).

BM Doorway loop: This external reinforcing loop adds to the flow of new participants entering the BM. There are two possibilities for how visitors may become BM participants. First, they may have direct information contact with colleagues or friends, simply because they belong to an underground community with a higher likelihood of following the development of BMs. Second, they may search the Internet, find the site and become intrigued enough to join the forum. Therefore, the “New Participants” variable in this model is affected by the development of active BM participants, “Potential Website Visitors” and “Contact Rate”. However, we need to differentiate the contact rate in this sub-model from that in the previous sub-model, which is captured by “Information Absorption among Participants” and “Exchange Factor”. The latter is connected to the process of grasping the BM idea. The former relates to the willingness and possibility of visitors to be in a BM forum; the concept describes the possibility and intensity of contacts between ordinary website visitors and the underground community.

Figure 6. BM participants sub model. [Causal-loop diagram: the BM Participants stock is fed by Entering BM and drained by Leaving BM. Variables: Contact Rate, Potential website visitors, New Participants, BM Doorway, Attractiveness from BMs Development, Effect of evaluation on joining barrier, Evaluation from participants ratio, Participants Ratio, Rule Obeying Participants, Perception on Rule Disobeying Participants, Change in Perception of Participants, Effect of evaluation on participants discarding rate, Duration of Activity in BM; loops: BM Doorway, Restraining, Elimination.]

Restraining loop: This loop captures the internal process of how the administrator maintains the forum. Our observations indicate that there are differences between small and big forums, and between new and old forums, in regulating the BM participants. A new and small forum tends to be less regulated, whereas bigger forums often apply quite strict regulations and treatment to BM participants. Apparently, in many cases there are criteria to be met by participants before they are allowed to enter the forum, such as: they are willing to be verified by a moderator or administrator; they will not annoy the forum, flame other members or behave in other ways that could reduce the forum's credibility; and they will not trade prohibited items in the BM forums. One forum operates with several stages before excluding participants: first warning, second warning, currently banned and banned status. Another forum will simply attach a “banned” label to the participant and block them from further posting. If they post advertisements,


the administrator may remove the texts or lock the advertisement thread.

From the aforementioned description, we capture that the BM administrator has a perception of the existing BM participants, namely that some of them may disobey the forum rules. To capture this situation, we create a variable called “BM Participants Ratio” to represent the comparison between the perceived rule-disobeying participants and the rule-obeying participants. Again, there is a delay in recognizing, via an evaluation process, whether the ratio increases. The state of the ratio affects two things in managing the BM participants: the joining barrier and the participant discarding rate. The doorway to the BM is represented by a non-linear table function. If the ratio is very low, the doorway is wide open; in other words, there are fewer barriers to entering the market. But if the ratio of disobeying participants increases, the doorway becomes tighter, and only a small fraction of potential visitors will be allowed to join the BM.

Elimination loop: a similar evaluation affects the participant discarding rate. A low ratio of disobeying participants slows down the participant discarding rate, and a higher ratio of disobeying participants increases their elimination from the forum.

Simulation

The SD approach uses computer-aided modeling. Several software tools are available for performing SD simulations. We use the Vensim software for our simulation, which is arguably the most popular one in the SD field.

For our initial simulation runs we examined three scenarios within a 200-week time horizon (Figure 7). The first scenario (“Base Run”) represents the absence of policy intervention concerning the BMs' presence. We assume that initially one BM is present. Assuming that all structures and feedback loops in the model (Figures 5 and 6) have captured the essential connections among the main factors affecting BM spread, the base run simulation (number 1) demonstrates that the number of BMs is likely to increase over time.

Figure 7. Simulation results of black markets development. [Plot: number of black markets (0 to 25) against time in weeks (0 to 200) for three runs: Base Run, BM Life Time and Market Disruption.]

The second scenario we call “BM Life Time”. An example of an action to shorten BM life time was an investigation targeting underground hacker organizations, such as the U.S. Secret Service's “Operation Firewall” (Francis, 2005). The operation, conducted in


hacker organizations, such as the U.S. Secret Service's "Operation Firewall" (Francis, 2005). The operation, conducted in late 2004, was intended to disrupt the organized online criminal activity that was threatening the financial infrastructure of the US. To capture such a countermeasure policy against underground operations, we use a parameter called "Average BM Life Time". Assigning smaller values to this parameter lets us observe the resulting dynamics of the BMs over time. In this second scenario, the growth of the BMs is slower and flattens out. As previously explained, an operation intended to disrupt the life of underground sites may in practice provide only short-term downtime of the websites. In the case of Operation Firewall, some people were arrested for alleged involvement in global organized cyber crime. Two well-known examples of black markets shut down by similar operations are shadowcrew.com and carderplanet.com. However, it remains an open question whether the old websites are gone for good or whether, in the long run, certain websites reappear under different names. Often BM sites are only temporarily down and reactivate once the pressure on underground online trading eases.

The third scenario we call "Market Disruption". It captures a suggestion (Franklin et al., 2007) to disrupt the market by creating distrust among the BM participants so that they leave the markets, either through defamation or by undercutting the website participants' verification system. The assumption of the second simulation also applies in the third scenario: we assume smaller values for the "Exchange Factors" in the model as well as for "Average BM Life Time". The simulation shows growth and then collapse of the number of BMs. In this simulation, knowledge accumulation does not happen, because the distrust among participants reduces learning exchange and market growth. The BMs also decline faster in this scenario because of the higher BM decay rate.
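To make the three scenarios concrete, the following is an added illustrative simulation. It is not the authors' own SD model (Radianti & Gonzalez, 2007) and not code from the original chapter; it assumes a deliberately simple stock-and-flow structure of our own choosing. A stock of active BMs grows by imitation of existing markets (damped by an assumed saturation capacity) and decays at a rate of one over "Average BM Life Time"; a knowledge stock accumulates through exchange among participants (the "Exchange Factor"), fades if not renewed, and in turn modulates how strongly imitation operates. All functional forms, parameter values and scenario names (baseline, takedown_pressure for the second scenario, market_disruption for the third) are assumptions chosen for illustration.

```python
"""Illustrative stock-and-flow model of black-market (BM) growth under three policy scenarios.

Added example; the model structure and every parameter value are assumptions
made for illustration, not the chapter's own SD model.
"""
from dataclasses import dataclass


@dataclass
class Params:
    imitation_rate: float = 0.4         # new BMs spawned per existing BM per month (full knowledge, no crowding)
    capacity: float = 100.0             # assumed saturation level for the number of BMs
    half_sat: float = 1.0               # knowledge level at which imitation runs at half strength
    exchange_factor: float = 0.05       # "Exchange Factor": knowledge gained per active BM per month
    knowledge_retention: float = 12.0   # months over which unrenewed knowledge fades
    avg_bm_lifetime: float = 24.0       # "Average BM Life Time": mean months before a site goes dark
    bm0: float = 5.0                    # initial number of BMs
    knowledge0: float = 2.0             # initial accumulated knowledge


def simulate(p: Params, months: float = 60.0, dt: float = 0.25) -> dict:
    """Euler-integrate the two stocks (BMs, knowledge) and return their time paths."""
    bm, k = p.bm0, p.knowledge0
    bm_path, k_path = [bm], [k]
    for _ in range(int(months / dt)):
        learning = k / (k + p.half_sat)                      # saturating effect of knowledge on imitation
        crowding = max(0.0, 1.0 - bm / p.capacity)           # fewer niches left as markets multiply
        creation = p.imitation_rate * learning * bm * crowding
        decay = bm / p.avg_bm_lifetime                       # takedowns / natural attrition
        dk = p.exchange_factor * bm - k / p.knowledge_retention
        bm = max(0.0, bm + dt * (creation - decay))
        k = max(0.0, k + dt * dk)
        bm_path.append(bm)
        k_path.append(k)
    return {"bm": bm_path, "knowledge": k_path, "dt": dt}


# Scenario parameters are assumptions: a shorter lifetime stands in for sustained
# takedown pressure; a much smaller exchange factor stands in for distrust among participants.
SCENARIOS = {
    "baseline": Params(),
    "takedown_pressure": Params(avg_bm_lifetime=6.0),
    "market_disruption": Params(avg_bm_lifetime=6.0, exchange_factor=0.002),
}


def run_scenarios(months: float = 60.0) -> dict:
    return {name: simulate(p, months) for name, p in SCENARIOS.items()}


def summarize(result: dict) -> dict:
    """Peak, peak time, final BM count and final knowledge for one simulation run."""
    bm = result["bm"]
    peak_i = max(range(len(bm)), key=bm.__getitem__)
    return {
        "initial": bm[0],
        "peak": bm[peak_i],
        "peak_month": peak_i * result["dt"],
        "final": bm[-1],
        "final_knowledge": result["knowledge"][-1],
    }


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        s = summarize(res)
        print(f"{name:18s} peak={s['peak']:6.1f} at month {s['peak_month']:4.1f}  "
              f"final={s['final']:6.1f}  knowledge={s['final_knowledge']:6.1f}")
```

With these assumed parameters the run reproduces the qualitative behaviour described in the text: the baseline grows toward the capacity; shortening the average lifetime alone slows growth and flattens it at a lower level; shortening the lifetime while also cutting the exchange factor produces a brief rise followed by collapse, with the knowledge stock never accumulating. The numbers themselves carry no empirical weight; the point is that the same structure yields the three behaviours by varying only those two parameters.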

Learning from Model and Future Trends

Developing a model is a method to capture reality. Performing a simulation is a risk-free method to learn about the implications of various decisions. The reliability of conclusions derived from simulation results depends on how well the model represents the structure of reality, on the robustness of the model, and on the assumptions underlying it. By making the assumptions of our models explicit and presenting simulations of potentially interesting scenarios, we hope to initiate a fruitful discussion among experts, to get constructive feedback to further improve our models, and to increase understanding of how BMs perform. The model structure presented in the previous section suggests that imitation processes may occur among the underground actors and may push further development of the black market. Initiatives to temporarily disrupt the markets may not yield a sustainable effect on BM operation, since the participants are too many to be caught and the possibilities for creating similar forums are so wide. Our observation and simulation suggest several possible future trends regarding the BM issue:

• The number of black markets trading vulnerabilities, zero-day exploits, malware and other commodities for malicious purposes is likely to grow over time. As a consequence, the proliferation of cyber-attacks linked to the spread of BMs is, in theory, likely to increase as well.

• The variety of possible underground contacts is a more critical factor in black market growth than the existence of the BM sites themselves, because once malicious actors learn of the success of a BM operation, the Internet provides immense possibilities to develop similar forums.




• Underground actors apparently benefit from the development of BMs, since it extends the possibility of reaching more potential buyers and sellers. The basis for this is our observation that BM participants do not enter only one BM; they also advertise the same products on multiple BM forums.

Conclusion

Cyber threats are a complex problem to solve, especially when they involve hidden malicious activities. Malicious actors may operate across national borders when performing illicit activities. To keep computer systems safe from harmful activity, all parties who deal in cyberspace should be aware that intangible threats of any form may endanger those efforts. The initial questions for our modeling effort were whether the number of BMs increases and how black markets spread. Our observation of BMs strengthens the hypothesis that BMs tend to increase. Recognizing the factors affecting the establishment of BMs is important for understanding the dominant traits and characteristics that reinforce BM growth. We find some possible factors affecting the spread: the existence of the markets themselves (which creates attractiveness for malicious actors to enter the forum) and the existence of transmission agents, i.e., BM participants who may imitate similar forums on different websites. We believe there are many feedback loops that govern the behavior of BM systems. The use of an SD modeling technique is helpful for elaborating the problem and building an understanding of the intertwined factors affecting the BM problem. We expect our approach will elicit an exchange with readers and experts about the underlying structural assumptions of the model and the plausibility of its behavior over time.


References

Anderson, R. (2001). Why information security is hard: An economic perspective. Paper presented at the 17th Annual Computer Security Applications Conference.

Anderson, R., & Moore, T. (2006). The economics of information security. Science, 314, 610-613.

Bajada, C., & Schneider, F. (2005). Size, causes and consequences of the underground economy: An international perspective. Aldershot: Ashgate.

Böhme, R. (2006). A comparison of market approaches to software vulnerability disclosure. Paper presented at ETRICS 2006 (LNCS 3995), Freiburg, Germany.

Boulding, K. E. (1947). A note on the theory of the black market. The Canadian Journal of Economics and Political Science / Revue canadienne d'Economique et de Science politique, 13(1), 115-118.

Camp, L. J., & Wolfram, C. (2004). Pricing security: A market in vulnerabilities. In L. J. Camp & S. Lewis (Eds.), Economics of information security. Boston: Kluwer Academic Publishers.

Cavusoglu, H., Cavusoglu, H., & Raghunathan, S. (2005). Emerging issues in responsible vulnerability disclosure. Paper presented at the 4th Workshop on the Economics of Information Security (WEIS), Cambridge, MA, USA.

CERT/CC. (2000). Vulnerability disclosure policy. CERT Coordination Center. Retrieved June 10, 2007.

Clinard, M. B. (1969). The black market: A study of white collar crime. Montclair, NJ: Patterson Smith.

Coase, R. H. (1988). The firm, the market and the law. Chicago: The University of Chicago Press.

CyberEye. (2001). CERT's full-disclosure policy is responsible, but mistrust remains. Retrieved April 15, 2007, from http://www.gcn.com/state/vol7_no1/tech-report/946-1.html

DeLong, J. B., & Froomkin, A. M. (2000). Speculative microeconomics for tomorrow's economy. In H. R. Varian (Ed.), Internet publishing and beyond: The economics of digital information and intellectual property. Cambridge, MA, USA: MIT Press.

Du, W., & Mathur, A. P. (1998). Categorization of software errors that led to security breaches. Paper presented at the 21st National Information Systems Security Conference, Crystal City, VA.

Evers, J. (2007). Offering a bounty for security bugs [Electronic version]. Retrieved from http://news.com.com/Offering+a+bounty+for+security+bugs/2100-7350_3-5802411.html?tag=sas.email

Francis, B. (2005). Know thy hacker. Retrieved April 28, 2007, from http://www.infoworld.com/article/05/01/28/05OPsecadvise_1.html

Franklin, J., Paxson, V., Perrig, A., & Savage, S. (2007). An inquiry into the nature and causes of the wealth of internet miscreants. Paper presented at the 14th ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, USA.

Gravelle, H., & Rees, R. (1981). Microeconomics. London: Longman.

Grimes, R. A. (2005). The full disclosure debate. Retrieved June 19, 2007, from http://www.infoworld.com/article/05/09/30/40OPsecadvise_1.html

IBM. (2007). IBM Internet Security Systems X-Force 2006 trend statistics [Electronic version]. Retrieved January, from http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf

Kannan, K., & Telang, R. (2005). Market for software vulnerabilities? Think again. Management Science, 51(5), 726-740.

Landwehr, C. E., Bull, A. R., McDermott, J. P., & Choi, W. S. (1994). A taxonomy of computer program security flaws, with examples. ACM Computing Surveys, 26(3).

Lemos, R. (2004). Mozilla puts bounty on bugs. Retrieved June 10, 2007, from http://news.com.com/Mozilla+puts+bounty+on+bugs/21001002_3-5293659.html

Levy, E. (2001). Full disclosure is a necessary evil. Retrieved June 10, 2007, from http://www.securityfocus.com/news/238

Middleton, J. (2001). Coalition condemns full disclosure. Retrieved April 10, 2007, from http://www.vnunet.com/vnunet/news/2116546/coalition-condemns-full-disclosure

OIS. (2004). Guidelines for security vulnerability reporting and response [Electronic version]. Retrieved 2007, from http://www.oisafety.org/guidelines/

Ozment, A. (2004). Bug auctions: Vulnerability markets reconsidered. Paper presented at the Workshop on the Economics of Information Security (WEIS), Minneapolis, MN.

Ozment, A., & Schechter, S. (2006). Milk or wine: Does software security improve with age? Paper presented at the 15th USENIX Security Symposium, July 31 - August 4, 2006, Vancouver, BC, Canada.

PandaLabs. (2007). Quarterly report PandaLabs [Electronic version]. Retrieved July 15, 2007, from http://www.pandasecurity.com/

Parkin, M., Powell, M., & Matthews, K. (2005). Economics. Harlow, England: Pearson Addison Wesley.

Perloff, J. M. (2007). Microeconomics (4th ed.). Boston: Pearson Addison Wesley.

Radianti, J., & Gonzalez, J. J. (2007). A preliminary model of the vulnerability black market. Paper presented at the 25th International System Dynamics Conference, Boston, USA.

Randers, J. (1980). Elements of the system dynamics method. Cambridge, MA: The MIT Press.

Rauch, J. (1999). The future of vulnerability disclosure? Retrieved June 19, 2007, from http://www.usenix.org/publications/login/1999-11/features/disclosure.html

Ray, S. K. (1981). Economics of the black market. Boulder, CO: Westview Press.

Rescorla, E. (2004). Is finding security holes a good idea? Paper presented at the Third Workshop on the Economics of Information Security, Minneapolis.

Richardson, G. P., & Pugh, A. L., III. (1981). Introduction to system dynamics modeling. Portland, OR: Productivity Press.

Schechter, S. (2002). How to buy better testing: Using competition to get the most security and robustness for your dollar. Paper presented at the Infrastructure Security Conference, Bristol, UK.

Schneier, B. (2000a). Full disclosure and the window of exposure. Crypto-Gram Newsletter. Retrieved March 10, 2006, from http://www.schneier.com/crypto-gram-0009.html#1

Schneier, B. (2000b). Publicizing vulnerabilities. Retrieved April 10, 2007, from http://www.schneier.com/crypto-gram-0002.html

Schneier, B. (2001). Bug secrecy vs. full disclosure. Retrieved April 10, 2007, from http://news.zdnet.com/2100-9595_22-531066.html

Schneier, B. (2006). Economics and information security. Retrieved December 12, 2006, from http://www.schneier.com/blog/archives/2006/06/economics_and_i_1.html

Schneier, B. (2007). Schneier: Full disclosure of security vulnerabilities a 'damned good idea'. Retrieved June 19, 2007, from http://www.schneier.com/essay-146.html

Seacord, R. C., & Householder, A. D. (2005). A structured approach to classifying security vulnerabilities. Retrieved December 22, 2005, from http://www.sei.cmu.edu/pub/documents/05.reports/pdf/05tn003.pdf

Sterman, J. D. (2000). Business dynamics: Systems thinking and modeling for a complex world. Boston: Irwin/McGraw-Hill.

Sutton, M., & Nagle, F. (2006). Emerging economic models for vulnerability research. Paper presented at the Fifth Workshop on the Economics of Information Security (WEIS), Robinson College, University of Cambridge, England.

Symantec. (2008). Symantec Global Internet Threat Report: Trends for July - Dec 07 [Electronic version]. Retrieved January, from http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf

Varian, H. R. (Ed.). (2000). Internet publishing and beyond: The economics of digital information and intellectual property. Cambridge, MA, USA: MIT Press.

Zhuge, J., Holz, T., Song, C., Guo, J., Han, X., & Zou, W. (2007). Studying malicious websites and the underground economy on the Chinese web [Electronic version]. Honeyblog. Retrieved February 25, 2008, from http://honeyblog.org/archives/2007/12/summary.html